A weekly podcast with BHIS and Friends. We discuss notable infosec and infosec-adjacent news stories gathered by our community news team.
Join us live on YouTube, Mondays at 4:30PM ET
Of the closet.
Wade Wells:All of a sudden, John's BGP goes wild.
Corey Ham:Yeah. Yeah.
John Strand:So I'm I'm gonna go with this relocation program, Ryan. Oh, I've been good.
Corey Ham:Well, you joined a public podcast with your full name and your location, so you maybe shouldn't have done that.
John Strand:My location is a closet, Corey.
Wade Wells:Yeah. I know the sun is out.
John Strand:I know we're know you're
Corey Ham:the Northern Hemisphere based on the fact that it's day outside. I can't remember. Whatever the whatever half of the planet we're in.
John Strand:I'm just wondering why does all this shit say Dick Cheney on it? I don't know. This hasn't been used in a long time. It's very dusty here. Very dusty.
Corey Ham:Are you in Camp David, or what is the, like, secret
John Strand:place they go in? Undisclosed location. Oh, okay. Which is a closet
Corey Ham:Yeah. With a rug. An undisclosed closet. I don't
Ralph May:know many closets that have windows. That's something right there.
John Strand:Right there?
Corey Ham:Yeah. That's an is that a is that a Samsung frame TV?
John Strand:It's a pretty bougie closet, if I do say so myself. Mhmm. It's one of those bougie closets that has a window, but it doesn't open, so it cannot be counted as a bedroom. Oh. Oh, that's perfect.
John Strand:So
Corey Ham:It gets a little longer.
Ralph May:I would count it as a liability if you're looking for, like, safety. Right?
John Strand:Yeah. But safety is not my concern. Not not whenever I come onto the webcast.
Ralph May:Safety third. Very odd.
John Strand:I just I I I just I I try to come from the most random places I possibly can. Like, you know, a deck in the middle of Germany while it's raining, another closet in someplace else, Poland. Just gotta gotta, yeah, gotta keep everyone guessing.
Ralph May:They so whoever's closet this is, they are organized. They have the exact same hangers, right, which is weird. Most people typically end up with, like, a lot of, you know
Corey Ham:And look at the wood hangers. You don't have wood hangers. It could be Bossier. Get some cedar hangers,
Ralph May:John. Cedar. Oh.
John Strand:It could be.
Wade Wells:My wife has all the same hangers. I get I get the spares.
Ralph May:You get the spares. Like, the ones from the store.
Corey Ham:The free ones from the dry cleaning company. You name it.
Wade Wells:Like, when you buy it, I'm like, yeah. I got a hanger with this one. I don't have to go out and buy hangers?
Corey Ham:You they try to take it away. You're like, no. Get that back. I need it. I buy the shirt.
Corey Ham:Need that.
Ralph May:How will I know it's large?
John Strand:I wonder if this can even do backgrounds with this. Let's see if they can do different backgrounds.
Corey Ham:Woah. No. That's
Wade Wells:that's pretty good.
John Strand:That one's kinda weird.
John Strand:I don't know.
Ralph May:I feel like the closet is a background.
Corey Ham:We just assumed the closet is a fake background.
John Strand:Could be. Could be. How do I do this? I think I choose my background. Is that an
Ralph May:old printer in the closet?
Corey Ham:No. That's a that's definitely some kind of a kitchen contraption. Oh, yeah. Apple Park. Oh, now you're at Apple HQ.
Ralph May:Now yeah.
Corey Ham:Oh. Didn't know we were the kind of company where the CEO could afford a floating spiral staircase.
John Strand:One of those places. Corey, I bring you love. Somehow
Corey Ham:this imagery goes with the closet imagery.
Ralph May:Yeah. Right. It connects. I'm not sure how they just do. No.
John Strand:I don't know how to make it. There we go. I I actually prefer the closet. I I think that we spend too much time trying to make our backgrounds look too too awesome in this industry sometime.
Ralph May:That's a fun
John Strand:pull quote. I prefer the closet.
Ralph May:If you were to sit on the floor, you'd think I was
Wade Wells:it's a mess. Like Yeah.
Corey Ham:Alright. John, I hope you're ready to just drop some hot nation state goss.
Ralph May:So nation state.
John Strand:Which one are we which one are we talking about? Are these in the notable stories?
Corey Ham:Are you gonna well, I mean, are you gonna unleash some new intel that we don't know about? Because there's only one I can think of.
John Strand:No one's told me Jack. The one that
Ralph May:You just gotta get sick.
John Strand:Stuff and, the BGP stuff, during the Venezuelan attack. And then also, I don't know if well, we could talk about this more. Let's wait until we get to
Corey Ham:the show. Yeah. Yeah. I was gonna say you're you're you're you're yeah. Exactly.
Corey Ham:Get ready. Get ready So for
Ryan Poirier:I'm frozen.
John Strand:Uh-oh. Uh-oh. I'm stuck on the
Ryan Poirier:screen share. It won't let me click off.
John Strand:Okay. It's not me this time.
Corey Ham:What you're gonna wanna do is take your computer, shut it down, and then don't turn it back on ever.
Ralph May:Hard reboot with no reboot. Start over again. You'll need a new computer after this.
John Strand:Okay. What you're
Corey Ham:gonna wanna do is download your swap file from Google Drive because it got it got cleared locally.
Ralph May:Luckily, I got the Mac with 128 gigs of RAM, I'll never run out.
Corey Ham:I do feel like when I look and I see a system is swapping, I'm like, oh, you're cheating on me. Yeah. Don't do that. Don't don't swap. It's twenty twenty five.
Corey Ham:I I just no swapping.
Ralph May:Yeah. But the worst part is when you actually look at what's using all your RAM, it's just Chrome. Yeah.
Corey Ham:Every
Ralph May:time. Yeah. Every time, you're just like, this is what I got the RAM for just so I can fill up more tabs? Thank you.
Wade Wells:I got all this RAM so I could watch YouTube and play video games at the same time. And YouTube's the harder one to run. Like Yeah.
Corey Ham:Yeah. Throwback to Linux ate my ram.com. Those who know, know.
Ralph May:Well, we do have a crumb story, speaking of that.
Corey Ham:We do. Because we all
John Strand:have one.
Ralph May:Yes, we do. So
Corey Ham:before we start, I do have a fun little tidbit that my friend shared. One of my friends works for an apparel company, and he shared with me that the outfit that a certain individual got kidnapped in is Yep. Currently
Ralph May:It is. I went and worked to buy the same outfit, and they were like, sold out.
John Strand:It sold out everywhere. Come on. Love it. I love it so much that
Corey Ham:The US preferred population
John Strand:yeah. Sorry. My favorite quote was I didn't know doctor Disrespect was the president of Venezuela. I thought that was
Ralph May:Here's here's my real question. Do you think they, like, had someone pick out this outfit in advance for this photo shoot? Like, doesn't affect what sick.
Corey Ham:He looks awesome and comfortable. I'm kinda jealous. I mean, not on his current predicament,
Ryan Poirier:but of his outfit. John,
Corey Ham:do you have a sweatsuit? Like, what's gonna happen if you get kidnapped? Do you gotta get a sweatsuit?
John Strand:I'll just have to look around in the closet, see what I have here.
Corey Ham:I don't see a single sweatsuit hanging in this closet. He's got hats.
Wade Wells:He's got multiple hats.
John Strand:Oh. Oh, here we go. Here we go. This is a nice big parka.
Ralph May:There you go.
John Strand:With a hoodie.
Corey Ham:That's not good. That's like a non that's like for that's for you doing the kidnapping.
John Strand:Yeah. You get renditioned. I'm just gonna say this this jacket, I think it's Patagonia or something. If you have to get renditioned, get renditioned in this coat.
Corey Ham:Is that the one where you fight the bear and then
John Strand:It it is. And it feels like you're getting kidnapped wearing a sleeping bag, which if you're gonna get kidnapped, it's the way to go.
Corey Ham:Right? I mean I know. That's what I'm saying.
John Strand:That's why I need this wetsuit. Kidnapped then. That's my If you have What is your culture? Be rendition. Just gonna say,
Corey Ham:if you're in the audience, send your recommendation for a good outfit to get kidnapped in.
Ralph May:Kidnapped in? Yes.
Corey Ham:Yeah. Like, that can be, like, the brandition.
Wade Wells:That can
Corey Ham:be the banter. Yeah. Send send send me links for what I should wear when I get kidnapped. God. I
John Strand:don't know. Kidnapping is what kidnapping is what poor people do. When The
Corey Ham:US does what you call extradition thing now?
Ralph May:Extradition. Yeah. Render
John Strand:it. Yeah. Send me
Corey Ham:a good outfit for kidnapping, and then maybe as a bonus, send me a good outfit for extradition, because that's an international kidnapping. Right?
Ryan Poirier:TSA might step in and say that you need to step up your style to be kidnapped, though.
John Strand:Yeah. I know. I know. They're like
Corey Ham:They're like, take off the jacket. You're like, I can't. It's too stylish.
Ralph May:Love I'm telling you, for kidnapping, they brought a lot of people. That they were serious about that. So, I mean, that don't think of it as like a praise.
John Strand:Right? You know you're in trouble whenever you're getting, like, like, kidnapped and the the Delta Force guys are like, this is a little bit this isn't quite skibidi toilet and needs a little bit more rose for a little bit better drip. And
Corey Ham:No. But he had to drip. They actually didn't that that conversation never happened because he had the drip.
John Strand:The skinny toilet one? It did. Yeah.
Ryan Poirier:It did. We just had it.
John Strand:And now you all
Corey Ham:Someone posted a meme of him DJ ing this guy. Oh my goodness. What is that a neck pillow? Like, what is that? I don't know.
John Strand:Anyway He
Corey Ham:looks comfy.
John Strand:He looks comfy. Yeah.
Corey Ham:Alright. Let's let's roll the let's roll the
Ralph May:Beautiful broken finger.
Corey Ham:Roll the finger.
John Strand:I am not seeing any comments. There. There it is. Oh, I just had to click it.
Ryan Poirier:Uh-oh. Restream is very laggy. Hold on.
Wade Wells:Chrome.
Ryan Poirier:It's not doing anything.
Wade Wells:Someone check our BGP. Sure.
Ryan Poirier:Come on, buddy.
John Strand:They found me.
Corey Ham:Someone said wear underwear so you don't get shot. I don't think that's how that works.
John Strand:I don't think that's yeah. That's that's crazy people talk.
Corey Ham:It's 01/05/2026. New year, new show. We've got me, Corey Ham. We've got John Strand, currently in witness protection program. We have Wade Wells.
Corey Ham:We have Bronwyn. We have Mary Ellen. We have Ralph, who's tagged himself as Florida Man. We have Kent Ichler, and we have Ryan, of course, making us sound good and look good. Although, he's really sucking at the second part of that, but whatever.
Corey Ham:It's not me.
Ryan Poirier:The I clicked the buttons, nothing's happening.
Ralph May:I did the thing. Alright.
John Strand:Did you
Corey Ham:you click the buttons for make us look good? Because that's a pretty fancy button.
John Strand:Did you just say if you wanna fight, fight me? But
Corey Ham:yeah. Base
John Strand:He's got a mad leg going on between his audio and his video. He looks like a kung fu. Oh, do too. Poorly dubbed. Yeah.
Corey Ham:I don't I don't see it. I think it's you, John. Alright. Let's talk about Venezuela. I mean, that's really what's happening.
Corey Ham:The big story is I mean, from a cyber perspective, the story is that The US took out power before invading. I don't know I I guess it's not clear whether it was a cyber operation. A lot of news agencies reported it that it was a cyber operation, but Trump just said, basically, that's one of our specialties. We can do this if we want, I suppose.
John Strand:Okay. Anybody that's debating that, though, can you honestly see an operation like this going off and they didn't use cyber? Like, they're like, oh, we're bringing in the planes. Yes. The planes and the boats.
John Strand:All the boats. What about cyber?
Corey Ham:The planes. The planes. At home. Don't have any These
John Strand:are the guys that keep telling me to turn it off and on again? No. No.
Corey Ham:Okay. That's fair. That's a good point. That's a good point. No.
Corey Ham:I I So they took out the power. I mean, that's kind of, like the assumption is that the the power was taken out by the cyber. There's also some posts about them taking out the Internet. Basically, Graham, a kind of friend of the audience or friend of the show, has posted a blog that identifies some BGP anomalies that were picked up during the operation.
John Strand:Which I think totally makes sense. Right? I mean, the hard thing for me is I'm trying to figure out if they cut the power because they wanted to, like, cut the power because of the of the rendition operation, or if they cut the power because they knew that the explosions would just pop and kick that much more ass.
Wade Wells:And Not the better camera. Then you definitely it's definitely
John Strand:This whole entire thing has just been, like, a lot of photo ops. So many photo ops, you guys. But
Ralph May:How many book deals do you think are in the works right now? Right? I mean, how? If was seal team six, it would be at least five book deals, but since it was Delta, maybe one. Right?
Ralph May:And you
John Strand:and you Six if it was if it was a seal, it would be like six book deals per person that was on that deal.
Corey Ham:I think David Goggins is running to Venezuela as we speak.
John Strand:Right now as we speak.
Corey Ham:He's on his way.
John Strand:I still wonder like like, knowing the Delta guys, like like, you'll be lucky if you get one book deal. More than there'll be, like, a couple of beers and then, you know, the, like, the guy the two guys that did it will have to run hills all day because they like that kind of thing. Tearing into this a little bit, though, I from the cyber perspective, I think the CIA was involved too. There were some articles. Of course, they were.
John Strand:Right? I mean, everybody
Ralph May:was there for, like, months on end. Where do you think the intel came from? Like, imaginary people? So
John Strand:And it's like I I was laughing at this because someone was like, yeah. The CIA was tracking Maduro. I'm like, didn't they abduct him from his house? Like, I'm jumping out on a limb. Like, do we need the CIA to find a guy
Ryan Poirier:at his house?
John Strand:So, no, I I I would be I I would I I would love to see the level of cyber operations that went off in this particular thing because it looks like they went off very, very cleanly. You know, the CIA tracking them, I'm sure there's more to it than that. Whenever you do an operation like this, you wanna make sure that the target is there. You also wanna make sure that the amount of collateral damage is minimized as possible. And, usually, that's done with tracking of cell phone networks.
John Strand:With the way cell phone networks exist naturally, there's going to be a certain amount of tracking which devices are in which geographic location. You could do that relatively easily. But actually getting down to the individuals that are there is where you have to get inside of some cell networks at some point. So if we're looking at this, you would need a couple of experts at least on cell technology, LTE, 5G. You would need to have some standard network exploitation expertise gaining access to the back end of the cell phone network to make sure that you have the right targets in play.
John Strand:Because once again, you don't wanna go into Maduro's house and he's labeling, like like, a Christmas, New Year's party for his granddaughter, and there's, like, 95 kids at the house. So they do a lot to make sure that they try to reduce the amount of collateral damage associated with it. And then the power stuff, like, yeah, I mean, you wanna make sure that those you wanna make sure that those lights are off auto ops, but also that you're doing an op at night, and you wanna make sure that that you're not gonna get stuff shot down. Somebody's pointing out a red shirt. It's not a red hat.
John Strand:It's even cooler than that. This is a Wyoming game and fish hat. So not not not a red hat. It's something
Corey Ham:Yeah. And just for context, John was speculating about all that stuff. There's not
John Strand:any sources to confirm that. Yeah. No one's
Corey Ham:no one's talked to me. I'm just No one's talking to and Yeah. Well,
Wade Wells:basically speculates. Right? That that BGP article that Graham came up with, the IP addresses were associated with some of the leading communications networks within that country, which I thought was, of course, pretty crazy that like, we've seen this tactic before from the Russians. Right? For me, I was like, okay.
Wade Wells:This is, like, general stuff. But I was also thinking, like, as a blue teamer, like, seeing BGP be rerouted, right, with ASNs and everything, I'm like, this seems like low like, it's it's high level stuff to be able to pull it off, but, like, I wanna see some cool stuff. I wanna see some, like, zero days. Right? Like, if Graham can figure it out on the Internet, was it that good of a hack?
Corey Ham:I mean, dude, dude, I I would say okay.
John Strand:I wanna point out if the BGP prefix attack was used, which I'll go through how that worked here in a sec. Makes me feel good because I feel old. And the fact that this is an attack that was that was released at Black Hat, I wanna say 2008. I think it was the same year that Dan Kaminsky talked about the DNS, that it's still relevant today. It's like, still have a purpose in life, which is good.
Corey Ham:Yeah. What's old is new again.
Ralph May:If it works, it works.
Corey Ham:It doesn't have to be on zero day.
John Strand:How BGP works. It's not a hack. Right? So for those of you that don't know, this gets a little bit crazy, but we call these forever days. The vulnerabilities that exist in the core infrastructure of how the Internet actually works, and they don't get fixed.
John Strand:So the way BGP works is you broadcast via ASNs, like, what are the IP addresses that you are responsible for? And then all the routers around the world through freaking magic, trust me, it's magic, will actually send those packets to you, which is pretty flipping cool. But what do you get into a situation where there's contention for IP addresses? If you have overlap in IP address responsibility with BGP, the ASN that is more specific wins. So if you have one ASN that has five hundreds and you have another ASN that has, like, two, the one that has two is going to win.
John Strand:And the thought process behind that was that whoever is responsible for the fewer IP addresses will probably be less likely to make a mistake. There's been if you wanna look at the Wikipedia article on this, there's a bunch of them where there's been mistakes. I think it was Pakistan. Pakistan wanted to black hole YouTube, and they broadcast out an ASN that was basically a black hole YouTube in Pakistan. But the problem was they broadcasted it to the entire world because it was more specific.
John Strand:It took YouTube offline, and this was done a number of years ago. So that's how this attack works. You can reroute all the traffic that you want as long as you do a very specific route to do so. Now, Wade, I wanna ask you as a blue teamer, how the hell would you detect that without going to a third party service?
Wade Wells:I don't even know. Like, I I was trying to think about this. My first thought is, like, you have a third party service looking for it. Right? The other way, I guess, is you could possibly be trying to advertise, like, individual, like, the smallest network possible, which Yep.
Wade Wells:I know that that's less of detecting and more preventing, but you could also try to monitor if something is advertising in your IP space. I believe that would be possible, but I'm not I'm not that big of a networking guy, to tell you the truth. At least that's I
Corey Ham:mean, there are there are fixes for this, the like, the RPKIs or whatever. Yeah. Like, you you don't just don't be vulnerable to this attack is the, like, long and short of it.
Ryan Poirier:And there's a piece of infrastructure in here too, right, where it's like, I at home can't just be releasing out a bunch of BGP records out in the world. There's another component that this is like Internet providers working with with switching technology and routing technology, or is it like, I can do this at home and send out
Corey Ham:an IP address?
John Strand:You can't can't do this at home, but how many companies are ISPs that broadcast and have the ability to broadcast? I think it's over 12 or 13,000. I might be wrong. It might be, like, 26. I'm getting my numbers kinda screwed up, but it let's go with it's a lot.
John Strand:And this gets into the security associated with it. It's like they all have to be on board. You can do things. I think Wade just kind of working it through, hit the best thing that you can do, is you can monitor any of the BGP routing changes that impact your specific IP address range and do that. But no one does that, like, you know, other than very, very large organizations that are buying highly specialized services to do it.
John Strand:Not that it's hard to do as well, but it's very very easy script
Ralph May:real quick.
Corey Ham:Yeah. Most I I linked to site is bgpsafeyet.com, which is a site run by Cloudflare, and most of the major ISPs cover it, you know, like, in The US at least. What was Obviously, was the value here? Whatever.
Ralph May:Did the Internet just go off for, like, kind of a little bit? Like, you know,
Corey Ham:and Yeah. There's a lot of speculation. It definitely wasn't, like, significantly down for a long period of time. It was like a blip, if anything.
John Strand:And and that's what I'm trying to figure out about this entire story is the why. Like, if you're if you're the CIA, if you're the NSA, if you're Air Force Cyber Command out of San Antonio, right, If you're doing this, more than likely, you're not going to be doing messy kind of BGP attack. You're usually gonna be using some type of exploit or existing infrastructure hack. Like, I'm willing to bet that they were already in the systems.
Corey Ham:Well, they cut the power, dude. There's no Internet with no power.
Ralph May:Yeah.
John Strand:But you wouldn't need the BGP to do that. So I'm trying to I've been trying to figure out I part of me, I kind of feel this is, a spurious thing that happened. Yeah. So I'm not a 100% certain on that, but I'm just trying to figure out what the hell they would have needed with BGP routes. I
Corey Ham:mean Yeah.
Wade Wells:The I agree. Graham Graham actually is in the chat and commented. The ASN and used it didn't do RPKI filtering.
Corey Ham:Yeah. Yeah. Of course. Yeah. I know.
Corey Ham:ISP or whatever. Yeah. I mean, we don't know. We're again, we're speculating. We do know they cut the power though, which if there's no power, there's probably no Internet.
Corey Ham:So Yeah. It doesn't really matter. Yeah. But, yeah. Anyway, I guess any other hot takes on this before we move on?
Corey Ham:The other funny one that I kind of we've called it out on the show before, but it is funny and true is the pizza, you know, pizza alerts or whatever of, like, people the the Twitter account that's tracking pizza places near the Pentagon being like, there's a pizza place near the Pentagon. It's 2AM, and
Ralph May:it says it's very busy, and then, you know,
Corey Ham:I want I wonder if anything will happen, And then next morning, it's like, we got them or, you know, whatever.
Ralph May:I So
John Strand:But one of the things about that is having talked to people on the inside of, like, the Pentagon and all those different places, they hate that. Like, they absolutely hate that people are online being like, oh my god. There's a lot of so they have a whole bunch of food inside of the Pentagon. So whatever happened overloaded the amount of the amount of food that could be handled to the inside of it because they seriously upscaled the amount of vendors and how much the vendors could handle. So this very thing wouldn't happen, but it still happened, which I think is quite interesting.
Corey Ham:I mean, it I will say, if you look at the Twitter, it's like, I forget the exact name of the Twitter, but if you or x or whatever. I don't know what it's called.
Ralph May:Don't do it. Twitter.
Corey Ham:Don't just call Twitter. Anyway No. If you look at it forever If you look at the Pentagon Pizza Report Twitter, they have a lot of false positive hits. Like, they're they're they're saying according to them, The US is invading someone, like, once every month.
Ralph May:Yeah. Time. It yeah. Them every time.
Corey Ham:The data is not that reliable, and I will say, like, it's a great example of, like, it is funny. It's it's not that relevant. Like, there's so many better indicators if you're a real intelligence agency than looking at Google Maps and saying that it's very busy. About the prediction market? I can't see that.
John Strand:What's that? No.
Ralph May:There there was a prediction market bet. Right? Yes. And I think it was crypto. Okay.
Ralph May:If I'm not mistaken. So anyways, it's just a prediction market where you could just predict on anything. Like, I think this is gonna happen, and I'm willing to bet this much money. Anyway, somebody put, like it was, like, $30 down and made a lot of money. They like, a day before they said that he was gonna get captured.
John Strand:You just know that Pete Hegseth is just there, like, suckers.
Ralph May:Yes. But
Corey Ham:this is but this is let's let's
John Strand:get into some tradecraft that I think is interesting. Right? Put put pizza aside. We knew something was gonna happen. Right?
John Strand:If you're trying to predict something's up, how about having a bunch of ships in The Caribbean?
Corey Ham:Yeah. Right. It was kind of obvious.
John Strand:Yeah. But there was a lot of pundits going into this that were like, something's going to happen, but we don't have enough force down there to actually take and hold land. Like, we just didn't. Right? So it couldn't have been that type of operation.
John Strand:And even a sustained air campaign, they didn't think that there was enough, there was enough in that area to be able to do a sustained air campaign. So there's a lot of speculation about taking out oil wells and oil refineries. And it was very interesting to me that other than that one person in the in the betting market, like, no one had, like, clandestine kidnap a president of Venezuela in the middle of the night on their bingo card.
Corey Ham:And then charged him in a US court? Why not charge him York a US court? Be like yeah. In a in a New York US court, that is the same court that Trump was indicted in. But, anyway, yeah, it's I don't know.
Corey Ham:It's a weird it's a weird vibe.
Ryan Poirier:World's weird though. So if if you assume that this was not like a kinetic attack regarding the power, If we do self reflection on that and look at, okay, we probably have an adversary with parity, skill parity, maybe. Maybe we're a little bit more advanced. Maybe we're not. What does that mean for, like, our infrastructure here, and and what are we doing to prepare for the same type of thing happening here by Naviso?
Ryan Poirier:Is that even is it Excellent question, Ken.
John Strand:It's a good good. Next story. Yeah. Well
Wade Wells:Yeah. I stopped my order.
Corey Ham:Okay. So I I do think it's probably worth I mean, I don't know. Right? Like, I agree that there's probably an adversary with equal capability to The US out there. I what I don't know is how The US grid security compares to Venezuela grid security.
Corey Ham:That, don't know. I would assume at the very least, The US grid is significantly bigger and more complicated and difficult to fully take down on that level. Okay. But that being said
John Strand:Corey, there's another thing to take up on that. Right? The US IP ranges are constantly being attacked way more than a lot of the like, if you're looking at, like, vulnerable, like, you know, just vulnerable systems in Shodan, you start looking around in China, you look at Russia well, kind of Russia a few years ago. But if you look at a lot of other countries, there's a lot more tragically insecure SCADA ICS systems exposed to the Internet than The United States. So I think that you're right, especially whenever you're looking at legislative capture and how every single power grid in almost every single state is its own little fiefdom, and it has its own laws and everything and its own shins.
John Strand:And that makes a lot of insecurities, but the fact that they're constantly being attacked is something I think that gives us a little bit a little bit of an edge, if anything.
Corey Ham:Yeah. I mean, I I think for sure that The US power grid needs to be secured further. I think most people would agree with that even in the industry, like, even within The US power grid providers. But I definitely think that, you know, national power outage and I guess it was just the city. Right?
Corey Ham:Like, there's a city. I will say, Washington DC probably has done a lot of grid exercises, I would assume, with their power grid. Not not I mean, I will say Trump, who knows where he is? Is he golfing in Florida? Is he, you know, is he just randomly visiting someone somewhere else?
Corey Ham:Like, you know, he's a moving target for sure. But, like, if you're attacking The US capital city, I'm guessing the grid is a little bit more hardened. But honestly, who knows? Right? We'll see, I guess.
Corey Ham:Hopefully, never. But, yeah, that's like a good I I would say, for sure, we're thinking about this as a model. And I know that we have a couple clients who are power grid providers, and they are very aware of this as a threat model. This is, like, their absolute worst case scenario is, like, grid outages, and they do, like, a lot of exercises. There are there's a lot there's a lot of, like, requirements, like, NERC CIP and things like that for what generation and transmission infrastructure have to do security wise.
Corey Ham:But there's also, like, they do I think it's called GridEx, I wanna call it. But they do, like, the national NERC, the National Energy Reliability Commission or whatever, they have, like, exercises every year where they do, like, a grid security thing. I'll post it in Discord.
Wade Wells:In the Idaho Labs, they do it. They usually let a bunch of people that work in at least some type of power sector. I think I believe it's free for them. You just have to fly out there and go it.
John Strand:Yeah. The other thing pretty cool interesting is critical communications infrastructure, like getting away from power. I don't know exactly how long cell towers and, like, cell stations stay up with their generators and their backups. But I do know, like, if you're looking all the way back in Hurricane Katrina, there were people that were making cell phone calls, like, while everything was down in New Orleans, and that was just because of the robustness of the cell infrastructure. So there's a lot of industries that I think have been doing a really, really, really good job to try to secure this as much as possible.
John Strand:But but one of the problems that we have is it isn't just an issue of, you know, on average, is The United States power infrastructure secure or not? That's not the question you should be asking. What you should be asking is how like, all it takes is one small part of that infrastructure to go down, and it can have massive repercussions across multiple different power grids. If you're looking at Texas, Texas is kind of isolated in its own right. They do their own thing.
John Strand:But a lot of the power grid in The United States is actually very heavily interconnected. And you can have an outage in one small power station in like, let's say, this happened two months ago in mon or not Montana, in Wyoming, and it actually brought down our main office all the way in Sturgis, South Dakota, a bunch of infrastructure up in Montana, and a little bit into North Dakota. And these were all separate power companies. But because one small impact hit one place, there wasn't enough power for the rest of the lines, and they were all sharing. So it's very, very archaic, and it's one of those things that, yes, there's been a tremendous amount of work that's gone into it.
John Strand:But, seriously, one small outage in one small part of the country can actually have catastrophic effects for an extended period of time.
Bronwen Aker:Well, that cascade effect too, John, that cascade effect isn't new either because in 1994 when the Northridge, excuse me, Northridge earthquake hit, our little earthquake, took out the entire West Coast as far as power was concerned. And I'm hoping that the grid stability has improved since then, but, again, that cascade effect in terms of the dominoes toppling is nothing new. And I hate to say it, but any type of adversarial planning would probably want to incorporate that into what their attack plans would be.
John Strand:And kind of answering your question about how things have improved, if you, you know, you've heard me use this phrase legislative capture. And, basically, what that boils down to is how power companies make money. You would think power companies make money by producing power and selling it. Kind of not true. If you're looking at the way a lot of public utility commissions run or basically kind of govern power companies, because in many parts of the country, a power company is a monopoly for literally everyone that's under it.
John Strand:There are very strict regulations on the certain types of activities that they can do and what their profit margins can be based on those activities. So in certain parts of the country, you get really heavy incentives for smart grid and smart home technology to do regulation of power, and that's because those public utility commissions in those states have incentivized those power companies to be able to make money off of doing that. Then you have other states where they don't have an incentive. They can't make money off of those types of activities, but they can make money on long line power transmission line creation. And they'll literally build power lines that go nowhere because they can take the cost of that plus a percentage, which is what their profit is.
John Strand:So if you wanna read into this, it's absolutely horrifying whenever you're looking at how the power grid is set up in The United States. And security often is not one of those things that power companies are allowed to, quote, unquote, make good percentages of money or profit on. And because of that, they put as minimum amount of money into trying to secure their power grid technologies because there's literally no profit incentives for them to do so. So look it up. It's called legislative capture and power companies.
John Strand:Whole bunch of articles, poli-sci stuff on it for years, but it applies here because we don't have a unified national strategy for securing power in The United States because it's run many times at the state level or multistate level. And it's it's it's an absolute train wreck.
Corey Ham:Alright. Let's let's move on. Let's talk about how else you might be able to take down the Internet, which is dragging an anchor on the seafloor.
Ralph May:Oh, that always works.
Corey Ham:Go Finland. So, yeah, this is an article. Basically, Finland seized a ship, which is suspected of damaging subsea cables, in the Baltic Sea. I don't think I don't necessarily think we've attributed this to a specific nation state, but I think it's pretty obvious who it might be.
Bronwen Aker:Teenagers implied.
Corey Ham:Russia. But the assumption is that it's part of Russia's shadow fleet, which is just, you know, kind of like Sounds
John Strand:pretty badass, actually.
Corey Ham:Sanctioned it does sound pretty badass. But it's sadly, all they're doing is just not knowing how to use an anchor and just dragging it on the ocean floor to try to take out cables. But, yeah, NATO has increased patrols of the Baltic Sea. I guess I'm like, what would this actually take out? I'm assuming this would be, like, pretty bad.
Corey Ham:I know there is I know there's some I know there's some, like, redundancy in undersea cables, but not, like, to maybe to certain locations like Finland. I is there only one? I don't know. Let's look at a map. There is that one map.
John Strand:Yeah. I don't know. I I just know that there's not nearly as much redundancy as you'd like or think there is. So I don't know. If you
Corey Ham:can line up with something I'm looking at this is actually really interesting. There are a lot of ones that connect Finland. The one that was specifically under attack in this case was called Elisa, which let's see if I can find it on this map. Here's the I'll I'll link the map in the Discord. It's just submarinecablemap.com.
Wade Wells:It's a really cool map.
Corey Ham:It's a really cool map. And, yeah, I don't know if if the I mean, looking at Finland on the map, there's a crapload of cables going to Finland. So I guess they probably wouldn't be totally screwed, but, obviously, it would potentially cost millions or billions of dollars to fix and take a long time. But, yeah, that's an interesting I guess, I don't know. I also don't know, like, is this a legitimate way to take cables down, or is this or take Internet down, or are they is this just Russia being stupid?
Corey Ham:Like, is this I'm little bit a legitimate tactic?
Wade Wells:Yeah. Can claim they can
MaryEllen:their claim alibi. Right?
Wade Wells:Yeah. Yeah. They can claim it's just a mistake. Right?
John Strand:Yeah. Stupidity when It's my first day on the job.
MaryEllen:Yeah. Literally. That's basically was one of their alibis
Wade Wells:What's your title? Oh, I was like, in Georgia. Shadow fleet.
Corey Ham:Ghost shadow fleet. Ghost
Wade Wells:captain. Shadow Yeah.
Corey Ham:Captain of the shadow fleet. I mean
Bronwen Aker:We had an intern at the helm.
Corey Ham:It was AI. It was AI. It was autopilot. Oh, man. What else we got?
Corey Ham:Anyone else have anything on their high on their radar? As an update article, we have the two individuals that were in The US that were doing BlackCat ransomware attacks. They have pled both of them pled guilty. So they took the plea deal. They were charged in November.
Corey Ham:Now they've pleaded guilty to conspiracy to obstruct commerce by extortion, which is a fun charge. I hope they had really nice outfits for their trials, preferably sweatsuits and headphones. But, yeah, they're facing up to twenty years in prison, so we'll see how that goes. I'm assuming the plea deal pleading guilty will probably, you know, lower that a little bit. And, yeah, I guess, we'll see. But
Wade Wells:MongoBleed came out after we did the last one. Right? Like, that came out over
John Strand:I think it years? Yeah. If we want to talk about it.
Wade Wells:Know that I had to triage this anyway.
John Strand:Pretty
Wade Wells:much just a vulnerability in MongoDB, which allowed if the database was remote connectable. Right? I believe it allowed remote access to it or at least to be able to read memory from what I recall. It got a pretty decent high score, an 8.7 on the CVSS. What I found funny with it is that Rainbow Six Siege got hit by it, if you guys saw that, or at least that was the rumor that they got hit, and pretty much they were going someone was going around and giving free creds to everybody, like, of dollars worth of in game credits.
Wade Wells:Funny.
Corey Ham:That's fun. I mean, video game security, especially for older games, like, hasn't Rainbow Six been out for, like, forever?
John Strand:Yeah. Yeah. Since '97, '98?
Wade Wells:No. No. This new one hasn't been out that long, but
Corey Ham:It's still an old game, though.
John Strand:Yeah. Yeah. Yeah.
Corey Ham:So it was yeah. I mean
Wade Wells:It would whoever because I think the main thing is someone wrote an exploit for it, like, fairly quickly. And whoever did that over a holiday break, like Screw you. Screw you.
John Strand:I'm also gonna say on the flip side, your Mongo database should not be directly exposed.
Corey Ham:Yeah. That's a good point.
Ryan Poirier:No. Shouldn't.
Ralph May:This is this goes to
Bronwen Aker:database should be directly exposed.
Corey Ham:Okay. Yes. That's even better. Yes. True.
John Strand:This is this goes out to the 110,661 people at least. And have their Mongo database instances directly exposed to the Internet. Stop. Just stop.
Corey Ham:John, that's just one company. That's just one company.
John Strand:One company. Yeah.
Corey Ham:Yeah. It's just one guy. He really likes MongoDB.
John Strand:It looks also like the versions of the Mongo like, because you I don't have the full enterprise license for Shodan, but it looks like I would say 40%, maybe a little less, maybe 30% are end of life. Like, they're not receiving any patches at all. I don't know how many of them they compromised.
Ralph May:I remember the last time I was playing with a MongoDB database too. There's a bunch of services that you can essentially get, like, MongoDB, right, like, from the cloud. Like, you can just, like, get it as a SaaS. Right?
Corey Ham:Yeah. Yeah.
Ralph May:That's also probably where a lot of this may be as well. Right? It's from, like, other services that have them out. So you could just, like, you know, essentially have your app here, and then you pay extra for, you know, database somewhere else. Right?
Ralph May:So yeah.
Corey Ham:Yep. I would imagine there's a lot of, like, first tier hosting companies like AWS or Azure, and there's a lot like, a huge amount of, like, lower tiers of, like, Minecraft or other video game hosting providers that probably don't have the same security procedures and things.
John Strand:They probably don't listen to this podcast either.
Corey Ham:No. They're listening to you right now, John, and they feel ashamed. They're sorry.
John Strand:They should know. I didn't know. They feel ashamed. Somebody that I should have listened to about this.
Ryan Poirier:Because they they might be in school right now too. They might have class. So Yeah.
John Strand:They might have class. Don't know. Some of this stuff looks like they just stood it up and, like, they were playing with Mongo and then forgot about it.
Ralph May:Yeah. Yes. First time.
Corey Ham:John, is that a confession?
John Strand:Is that a confession? A little bit. It's a little bit. I'm coming clean.
Corey Ham:So that just say it was a honeypot. You're good.
Ralph May:Yeah.
Wade Wells:Yeah. It's a good transition. Is one of the reasons why I've had organizations that will not let me run honeypots, is this exact scenario.
Corey Ham:Of they look bad on the Internet?
Wade Wells:That they look bad on the Internet, and someone may claim you got hacked. So, if you guys didn't see, there was that article, I believe who is the company, Corey? Like, Resecurity or something like that?
Corey Ham:I don't know. I didn't even realize this is a different article. Oh,
Wade Wells:wow. Okay.
Ralph May:Yeah. So hackers say they hacked into a research company. Mhmm. Oh, full access to Resecurity systems. They wrote in the Telegram chat.
Ralph May:So
Corey Ham:Oops. We would like to announce that we have gained full access. We took everything, all internal chats.
Ralph May:But it was all a honeypot.
Corey Ham:I don't know. That was, like, a pretty big honeypot. Yeah. They have a Mattermost server as a honeypot?
John Strand:Would have put a lot of time into creating that honeypot.
Corey Ham:Yeah. That like, internal chats, names,
Ralph May:and Is this the new, like, shaggy defense for hacking? Wasn't me? It was honeypot.
Corey Ham:Yeah. I don't know, but I do like it as a general defense. A it's a good, like, just claim honeypot. It's like one of the amendments of the
Ralph May:This was our most elaborate honeypot. We actually replicated our entire production in
Corey Ham:We our honeypot we would consider our entire active directory
Ralph May:we wanted it to be real.
Corey Ham:Yes. All the real messages, all the credentials are real. We didn't want a fake honeypot. We wanted attackers to believe it was real.
Ralph May:Yes. You have to believe it, and that's why we used all real creds.
John Strand:If they were doing this, look what they got. Internal chats and logs, full employee data, names, emails, tokens, threat intel related reports and scraping of management files, complete client list with details, all their plans from chats. And, like, if they put that much work into their honeypot, what the hell are they doing? Like Yeah. It's like Well, they are research companies.
John Strand:We stuff our honeypot with goodies, and it was the holidays. So it was goodies for the hackers. You know?
Corey Ham:What did
John Strand:you the idea of
Wade Wells:go ahead.
Ryan Poirier:Go ahead, Wade. Okay. I do like the idea of, like, an AI like, a bunch of AI agents that are just, like, a business that is, like, fully functioning, but it's just a honey business.
Corey Ham:Yeah.
Ryan Poirier:Yeah. So, yeah, you hack it, and you see all the stuff going on. It looks legit, but it's all just, you know, trees burning and
Wade Wells:AI generated. They asked for something. AI was like, yeah. I can build that. Here you go.
Wade Wells:Here's some logs for that
Corey Ham:chat. Yeah. Yes.
Ryan Poirier:How many employees in the street can somebody
John Strand:for AI and security, Kent. Right there.
Corey Ham:Yeah. That is the some person just stole that startup and made a 100,000,000
Ralph May:basic money. Imagine that AI bill to just keep the company running. Like, Jesus.
Wade Wells:Well, it's only when they get in. Right?
Corey Ham:That's true, Ralph. That's true. Is that no. No. It it has to be all the time.
Corey Ham:No. It has to be all
Ralph May:the time. Yeah. You you don't have any real messages. Right?
Corey Ham:Yeah. The credentials have to be real.
Wade Wells:I didn't realize this, but there was a whole another article that also goes on this NordVPN's breach. They also claim it was dummy data, which Oh. I didn't even see that one.
Ralph May:It wasn't just dummy data with the CEO's social? Yeah.
Wade Wells:They they denied allegations that an internal Salesforce development server was breached, saying that the cyber criminals obtained dummy data from a trial account on third party automated testing platforms.
Corey Ham:Well, there yeah.
Wade Wells:We'll see. Oh. Those Salesforce apps are being popped left and right. It was probably
Corey Ham:I will say, did you see that Wired had a, also got posted?
Wade Wells:I got that notification.
Corey Ham:Yeah. What Why did it actually got breached?
Ralph May:No. They didn't just claim it was No.
Corey Ham:It was real. I don't know if it's in the Arctic or if it's in
Wade Wells:It is. It's Condé Nast because they own Yeah.
Corey Ham:I just posted it. It's on BleepingComputer, basically. It's leaked. I have a copy. It's it's real.
Corey Ham:It's I don't know. It's definitely real.
Wade Wells:Go check my password for me real quick. Make sure
Ralph May:it's Yeah.
Corey Ham:There's no there's no creds. The the Okay. There's no creds in here.
Ralph May:Was it then? Just like your browsing history, like?
Corey Ham:First name, last name, physical address, birthday, phone number. Oh. If you subscribed to the print magazine, your your address is in there, etcetera.
Ralph May:Who subscribed to print anything?
Wade Wells:They gave you free stickers if you signed up. That was that was the thing.
Corey Ham:Wade's like Wade's like, don't judge me. It was free stickers. He
Ralph May:gave away all of his data for free stickers. I love it. I'm gonna find you in here, Ralph.
John Strand:Well, it doesn't really shine any
Bronwen Aker:worse for less. Oh
Ralph May:my god.
John Strand:That's Oh, that's a bad one. Site pack.
Wade Wells:Oh, that one was that was pretty. I didn't dive deep into it. I just saw the YouTube video of her deleting everything.
John Strand:Yeah. Tinder for Nazis, 100 gigabit data leak, and then just nuked the entire site. Just I didn't know that there was Tinder for Nazis. I who knew?
Corey Ham:How is that on the App Store, or is it not?
John Strand:You don't know. That's on the App Store. But yeah. What
Corey Ham:is the Oh my god. Yeah. What was the article for this? Can you
John Strand:I just shared it in the chat. Just write Okay.
Ralph May:It's a private So to sum it up, what? A bad website. Insert. You can say whatever.
John Strand:If they literally hacked the website, I think, live on YouTube. Right?
Ralph May:Oh, that's oh, no. I saw it was a was it a conference, I think?
Wade Wells:Was it a conference? It was at a conference, and then she's she just ran it. I believe the the actor is on stage wearing, like, a mask. I believe she goes by Martha or something.
Corey Ham:Martha Root? Martha Root. Oh my god. Classic.
Wade Wells:As the video goes, it's like she's running Python scripts, and it's like, deleted everything. Deleted everything. Deleted everything. And it's like, nope. Everything's down.
Wade Wells:And one dude owned a couple of the websites, I believe, and he just pivoted from there.
John Strand:Now Root had been, working on this for quite a while. Like, it wasn't I think they just did the final the final blow live, but it looks like they've been working for a while.
Bronwen Aker:Wait. What conference was this?
Corey Ham:No Nazis, please. No Nazis, please.
John Strand:Chaos Computer Club.
Bronwen Aker:Yeah. Oh, chaos?
Wade Wells:The Chaos Computer Club, is that it's the one in Germany. Germany?
John Strand:It is. But I don't know. I might I might have that wrong. Okay.
Wade Wells:The only reason I No.
John Strand:Was afraid of the website, okstupidlo.lol is what the profiles are hosting.
Corey Ham:Okay. Yeah. Okstupid is potentially one of the best domains I've read in a long time.
John Strand:It's really just and then the l o I didn't know that lol was a top level domain.
Corey Ham:Have we just discovered the world's first victimless crime on the news show?
John Strand:Nate? There
Bronwen Aker:are so many top level domains I've never heard of anymore.
Corey Ham:Oh, yeah.
Bronwen Aker:.Lol? Really?
Ralph May:Yeah. There's so many. Yeah. Whenever you're building, like, phishing domains, there's, like, 9,000 top level domains now. It's free shipping.
Bronwen Aker:Jeez, Louise.
Corey Ham:Yeah. And to anyone who had an account on this site, we know it was not a honeypot. Yeah. Don't try to use that defense. It was not a computer club,
Bronwen Aker:by the It did just It was. Yeah. So I put the link
Corey Ham:in
Bronwen Aker:I
Corey Ham:didn't ask Germany? Thought that was in, like, somewhere else in Europe.
Wade Wells:She's also dressed up as a pink ranger.
John Strand:I think that started originally in Germany because they
Corey Ham:never in Germany, though. Yeah.
John Strand:Yeah. They actually talked about that.
Corey Ham:So in This is about as sweet as stunt hacking can get. Literally live hacking and deleting a Nazi website, that's pretty good.
John Strand:In an outfit, like, in in, like, whole I don't know if it was a furry outfit or what
Wade Wells:It's power ranger. She's the pink ranger.
Corey Ham:Oh, ranger. Yeah. Hell, yeah. A power ranger outfit.
John Strand:And substance. I I just you know, really well done.
Corey Ham:I know what I'm watching after this podcast.
Wade Wells:Very end. Full it's a good helmet too. That's the thing. Like, it it's quality Power Ranger.
Corey Ham:Yeah. Yeah.
Bronwen Aker:Serious cosplay and hacking skills. Gotta love it.
Corey Ham:So okay. This is kind of I guess maybe we should talk about it. I don't know. But the Merrill inauguration event banned Flippers and Raspberry Pis.
John Strand:Yeah. Flipper Zeros and Raspberry Pis. We're watching
Ralph May:Well, yeah. Those are very dangerous.
John Strand:I don't know. I'm getting to the point where I'm a little bit I I honestly all joking aside, I am now probably going to be checking my Flipper Zero. I don't think I'm gonna be putting it on my carry on luggage. And part of the reason for that is we had that one story. Was it security researcher from Australia that was hacking all kinds of stuff on an airplane?
John Strand:You know?
Corey Ham:They weren't using a full
Ralph May:for zero, though. They were No.
John Strand:They weren't. They weren't. Yeah. Yeah. But So
Corey Ham:of my points are you're gonna do the
John Strand:They're actually training flight attendants Yeah. On how to identify that. So if somebody has lots of antennas and they they are actually showing them some of the airlines are sharing, like, this is what a Flipper Zero looks like as well. So it's just another piece of hardware that they're kind of starting to keep their eyes open for because they did catch that attacker. Right?
John Strand:Because I'm guessing he had antennas all over his computer whenever he was doing it. But, yeah, I just don't think I'm gonna fly with the Flipper Zero anymore. I just I just don't think it's If you're
Corey Ham:if you're wondering, here's the other things you shouldn't fly with. Large bags, backpacks, weapons, fireworks, explosives, drones, remote controlled air device, strollers, coolers
John Strand:I can't travel with anything.
Corey Ham:Chairs, blankets, bicycles, or scooters. I'm out. I'm not going anywhere. No scooters. Beverages.
Corey Ham:I'm also I mean, alcoholic beverages, illegal substances. Come on. I wanna
John Strand:do
Corey Ham:mushrooms. Pets other than service animals, laser pens, bats, or batons. Laser? I mean, basically, anything is banned from this, which honestly, okay, I I Like, totally get oh. Like, who's, like, the marching band guy that has the little baton?
Corey Ham:He's like, oh, man.
John Strand:Matrix. What is it? Brain fart. What is the person that's
Corey Ham:in front of a I don't but you know what
Bronwen Aker:I'm talking
Corey Ham:Major domo? Oh my god. That's not what it is, but that's amazing.
Ryan Poirier:I could see an issue here too where, like, yeah, no alcohol allowed, but then you can go to the duty free zone. So how long until the duty free zone is selling Flipper Zeros?
John Strand:Hopefully soon. Wouldn't you have me put it in a little bag whenever I board the airplane? It's like, no. No. It's like, yeah, because it's,
Ralph May:you know, dangerous. Do not
Corey Ham:consume any Flipper Zeros you bought in the terminal.
John Strand:I I also I don't know. I I
Ralph May:No. The worst part for me about the Flipper Zero is it's like it's it's like a Swiss army knife. Okay? And I mean that in all the senses. If you ever needed a real knife to do a certain task, you would get that real knife, whatever it is, machete.
Ralph May:You don't go around trying to cut down trees with your little, you know, Swiss army knife.
John Strand:Could, Ralph.
Ralph May:But you could try. Yes. Exactly. So it's kind of a master of none and, you know, many little
John Strand:It's the echo of computer security. It'll do anything. Just really well.
Corey Ham:Just not really well. Yeah.
Bronwen Aker:But here's here's the thing. Mamdani knew about Raspberry Pis and Flipper Zeros. How many other politicians actually know what these things are?
Corey Ham:How
Bronwen Aker:many have a clue?
Wade Wells:He didn't he's not the one who said no.
John Strand:You mean his staff? Like,
Wade Wells:his staff. They're like, gather some words. Just throw that. That's the same stuff they banned at the Trump rally. Might as well ban those here too.
Wade Wells:You know?
Corey Ham:I honestly wonder I honestly wonder rally. So It is I I think it is interesting that they specifically list, like, the other stuff. It it I think it's whoever made the list definitely was like, this is gonna go wide because they did specifically say Flipper Zero, Raspberry Pi. I don't know. I mean, honestly, there the ways of disguising this stuff, it's so easy to disguise.
Corey Ham:Right?
Ryan Poirier:But a lot more democratized, though. Like, you can just go buy them. You don't have to have, like, a huge there's no huge barrier of entry to be able to use a Flipper Zero.
John Strand:So it's been way more democratized than r apps or Edisports. Those are from Yeah.
Corey Ham:Well, those are allowed. Anything from Adafruit that, like, you know, Arduinos are allowed if you have, like, your clanker build that you're bringing with you to the inauguration or whatever.
John Strand:But I I think what it's gonna get down to is anything that's not a notebook computer or a phone or, like, an iPad.
Corey Ham:Those should be banned, dude. Don't freaking have
John Strand:your laptop out. Don't be working at the inauguration. Everything's gonna become a Flipper Zero that they don't understand. Right? And maybe they should have that level of paranoia.
John Strand:I don't know.
Corey Ham:Some person who's totally unconnected is like, I'll have to switch to a blueberry pie this time.
Ralph May:I mean mouth brief here.
Ryan Poirier:Oh, just not have cell phones.
John Strand:Like, are
Ryan Poirier:they gonna they gonna ban cell phones too then? Like, what does that look like?
Corey Ham:They start doing, like, with meetings too. Med hack?
Wade Wells:They, they give you the little bag to put your cell phone in, and you can't leave. Right? Like, it would work it'd work pretty well.
Corey Ham:Yeah. Just I need one of those from my house.
John Strand:We're we're a society of when someone shits themselves, everyone has to wear diapers. It's just getting ridiculous. It just keeps getting ratcheted up more and more all the time.
Corey Ham:Is there anything else to talk about? I I would we should talk about the guy who tried to block the telemetry for his robot vacuum, and then it bricked it. Let me see if could get that or not.
John Strand:That's a good one.
Wade Wells:Didn't even that in there.
John Strand:I I mean, if we're talking about that,
Wade Wells:we might as well talk about DJI too.
John Strand:Privacy all the time. And I I every time I run into people, like, when I'm going to cons now, and they talk about the this podcast, and now they listen to it. I'm like, I'm sorry we talk so much about privacy. I'm like, no. No.
John Strand:No. No. Keep doing it. So, yeah, here
Ralph May:we another one too. We also after this one, Corey, we can talk about Flock. Have you guys heard
John Strand:of Flock?
Wade Wells:Yes. Did you see them?
Corey Ham:Oh, yes. This is wild.
Ralph May:There's so much That is
Wade Wells:that is so
Ralph May:much Let's queue
Corey Ham:them up.
John Strand:Corey, yours first.
Corey Ham:Okay. I this is from November. I I just linked it. Basically, the user I'll I'll link the article in Discord. I linked it in the private chat.
Corey Ham:But, basically, a user has kind of been fighting with this vacuum provider to keep his vacuum working. So, essentially, this is an iLife. That's the brand iLife. I've never heard of this brand personally. It sounds sketchy to me.
Corey Ham:I probably wouldn't own their vacuum, but, it's an I iLife A11 smart vacuum. They basically loaded up this thing on their home network and monitored the traffic to it. Noticed that it was constantly sending logs and telemetry to the manufacturer. He blocked the telemetry IP addresses from egressing their network. Then they wanted to leave open the firmware and OTA servers, basically.
Corey Ham:And then eventually, it he investigated it. It stopped working. He investigated it and figured out that a remote kill command had been issued. He he sent it to service it, and it worked there. It just didn't work at his house.
Corey Ham:And basically, somehow he figured out some kind of a Python script type dealio that he could run to keep the vacuum working. So, yeah, that's basically it. It's just a fun write up of a hilarious, you know, like, battle between, you know, the user and their
John Strand:This is making me uncomfortable because I have one of those really stupid expensive fridges that has a computer in it, and they've been talking about how Samsung wants to start randomly playing advertisements in my kitchen, and I'm not down for that. I I, like, am actively blocking anything that that fridge does whenever it tries to go to Samsung. And I'm worried like, I read this, and I'm worried about them bricking my fridge. And they're like, no. No.
John Strand:No. You you have to have your advertisements for I can't believe it's not butter or this fridge is going to stop working.
Corey Ham:Well, that's what's been happening with the frame TVs. I don't know if you've been following that at all, but people are becoming anti frame TV because they're kind of a nightmare from a
John Strand:Yeah. You turn them on, and they immediately start playing ads. Just, like, blaring them, like, in the middle of the night. So Mhmm. Yeah.
Corey Ham:Alright. What's your article, Ralph?
Ralph May:Oh my god. Alright. So it's actually a YouTube video series, and I implore anyone who wants to see essentially shocking things. I'm I'm putting it in the in the private chat here. There's two YouTube videos here.
Ralph May:What it is is it's about it's done by Ben Jordan, and it's about Flock security cameras. Does anyone know about Flock or have seen them? So Yes. Essentially what they are is that they are these security cameras that you can put up and they're like solar powered and they'll do license plate reading and stuff like that. Well, Ben then decided to tear through one of these things to check out the security of these devices.
Ralph May:And to say it was bad would be an understatement for how bad the security is on these devices. Right? Remotely accessing them, being able to physically just turn them into a reset them and then connect directly to them in person, being able to access them over the Internet, and it just gets worse and worse and worse. The rabbit hole is so deep with how bad these cameras are for security. And they're supposed to be used to help prevent crime and detect be Save the children.
Ralph May:Save the children. Yes. Put into a database to track down, you know, when crime happens and all this other stuff. It is unbelievable how bad of like, if they've got a security audit once, I would be impressed that I would want to know who did it because it was so bad, all this stuff. Even worse is that Ben keeps finding more stuff with it.
Ralph May:Right? It's like he did one video and then it just keeps developing even worse, the more the rabbit hole goes. Because at first, they had the license plate cameras, and then they came out with these PTZ cameras. He found a ton of them accessible online quickly and easily, and he could just literally go watch any of them, you know, all over the country.
Wade Wells:Right? One of the things you didn't mention is I believe the researcher who did all this testing got fired, from his company for doing this on the side.
Corey Ham:Wow. You know, John, can we hire this person?
Wade Wells:So okay. Someone posted it on Reddit, and I tagged John
John Strand:in part of this person's rib.
Corey Ham:Thought of
Bronwen Aker:this. Those they're not the only ones. 404 Media. They tracked themselves on Flock cameras.
Ralph May:Yes. So,
Bronwen Aker:I mean, it's this stuff is wide open.
Ralph May:Yeah. Yeah. It would it'd be like if one if if the device is to make things more secure first of all, you can argue whether that is a thing and Ben does in the videos, but it's worse. They have zero security on the device itself. Like, they did nothing to secure these devices, but yet they're used by federal agents.
Ralph May:They're used in crime investigations where they can be tampered out the wazoo. They have no way.
John Strand:This is Somebody was talking about I hate the surveillance state. I I think when we all thought about the surveillance state as kids growing up, we thought it would be competent. And that was a mistake. I am sure. Right?
John Strand:But, you know, if you've been reading, like, could you imagine sitting down with, like, Huxley or, you know, Orwell? And it's like, no. No. No. No.
John Strand:The brave the the surveillance state's gonna be much dumber than that. Like, how dumb? I'm talking default credentials dumb. Like, really stupid dumb. Like, if They're running the
Ralph May:Android versions that are, like, seven gen or, like, seven versions behind. Just, like, never.
John Strand:Have you looked have you looked at the the new satellite class slides that I've been working on?
Ryan Poirier:Mhmm. No.
John Strand:Like, you know, the research that IOActive did a number of years ago, if you look at some of the research that's been done now, like, seeing the same thing in satellites. Right? Like, it's just the whenever you move into the realm of IoT, like we were talking about, there needs to be better security for securing the power grid. IoT is just an absolute smoking pile of dog crap. Oh, yeah.
John Strand:It's just bad all the way across, and no one cares. Right? Like, the people that sell this, like, look at what happened to iRobot, that poor company, by the way. Holy crap. Are they going backwards?
John Strand:Free.
Corey Ham:Talk about They got acquired.
Ralph May:Got acquired by a Chinese company that did
Corey Ham:everything. God.
John Strand:No. No. No. But they're so much worse. Like, they got screwed over by the Biden administration, then they got screwed over by the Trump administration.
John Strand:They've been closed. Go read the story if you can. But if you're looking at these companies, a lot of them now, they wanna pump out this technology as quickly and as cheaply as they can. They don't care about supporting the technology because they know the technology curve is they're gonna sell a whole bunch of them because they're cheap, and then no one's gonna buy them. There's gonna be something else.
John Strand:They're just gonna move on to another product. And, there's gonna be no accountability for these for this technology because the companies are just gonna exist into the ether. I don't know. Yeah. 100 and Go see what happened to iRobot and how badly they were screwed over the past eight years.
John Strand:It's ridiculous. They could have been saved.
Wade Wells:Was the Flock was it also the Flock license plate reader that was if you put in a fake, like, QR code on your license plate in certain areas, the AI would actually not allow it to read it? It would get confused.
Ralph May:Yeah. I'm I don't remember
Wade Wells:same one?
Ralph May:There was a confusion with the with the license plate reading. I I do know there was a bunch with the license plate reader specifically, ways to attack it. You know, many of them being just setting it into a mode where it turns on a Wi-Fi hotspot, and you could just connect right to it and, access it. There was just a lot of vulnerabilities with that device.
Wade Wells:There there was one you just put stickers in a certain part of your license plate, and they can no longer read it. And to that point, then Florida passed a law saying you're not allowed to put those stickers on your license plate.
John Strand:That's a solution. That's solved it. Well done. Equate.
Ralph May:Well, okay. So the I'll put one last thing with the Flock security. When they were brought up in news articles about the lack of security on these devices and what they were gonna do, they were just like, oh, this is essentially fake news by people who just want to hurt us and political, political, political bias.
John Strand:Not what I heard, Ralph. I heard that their response was it was a bunch of honeypots that they had found.
Corey Ham:That's a good yeah.
John Strand:That that was
Ryan Poirier:And a whole city of honey cameras. I I even thought, though, like, I'm thinking five, ten
John Strand:years ago, we'd watch, like,
Ryan Poirier:the TV shows and the, like, whatever, hacker movie, whatever. And it's like, oh, they'd they'd, like, drop into the the civil network and be able to, like, look at stoplight cameras and everything. Yeah. It's like we used to say, like, that that's not a thing. Like, you can't just do that.
Ryan Poirier:Mhmm. But now you can. Like, that is, like if someone was saying, is that real? Yeah. Yeah.
Ryan Poirier:It is real now.
Corey Ham:Yeah. It's called flawed.
John Strand:The guy heard flawed was right all this time. My god. Oh my god.
Ralph May:Yeah.
Corey Ham:Okay. My movie reference for the whole surveillance state thing is, I don't know if I love the movie Brazil. I don't know if anyone's seen it, but the entire plot of the movie is a typo leads to a man getting arrested. That's the surveillance state that we are in right now of like, oh, sorry. The flock camera said you did it, so we're here arresting you.
Corey Ham:No one knows why or how.
John Strand:Yes. Like, Minority Report be up, you know. Pissing your ass. No. Wait.
Wade Wells:There was just so I watched those, like, like, cop YouTube where videos where they're arresting people, and every now and then when one comes in my stream. And there was a recent one from, Vegas where a dude got caught on camera. The AI said he was someone who was banned from the hotel. And when the guy pulled out his license to prove he wasn't that one, the security guards didn't believe him because they looked so much alike. They wound up arresting him, holding him there, and then taking him and charging him.
Wade Wells:Then when they finally ran his license plate, they real or his license, they realized they're two different people, that he is the real guy. And at that point, they were they actually charged his real name with the crime of trespassing at the casino all because of
Corey Ham:the AI. About rolling a natural one on the dollar day.
John Strand:Wow. No. That dude that dude just rolled a 20. He's gonna be making so much bank.
Corey Ham:The settlement? Settlement should be nice.
John Strand:Cost to invest them.
Corey Ham:I just wanted to give you all my money. Don't take all my money.
John Strand:I yeah. I just can't like, how do people, like, in I've never been in a room where someone's made those, like, dumb decisions. You know? We got the wrong guy.
Ryan Poirier:We verified it's the wrong guy.
John Strand:You know how we deal with that? Let's charge this guy with trespassing. That seems like this is going to help that. What is it? Do you guys remember that story of the black guy, that got a a a oh god.
John Strand:He had a lawsuit that he successfully won for discrimination against his workplace. Then he goes to the bank with the check to cash the check. And they refused to cash the check because they didn't believe him. And then he
Corey Ham:said What is this? A settlement check from discrimination?
Ralph May:Oh my god. Yeah.
John Strand:We're not going to deposit that in your bank account, customer of ours. Like Aw. That guy like, yeah, he had a bad couple of days, admitted. But I'm willing to bet if you sat down and talked to him and be like, was it worth it? He'd probably be like, yeah.
John Strand:It's a little worth it. Like, I don't know.
MaryEllen:It kinda reminds me of those two was it two physical pen testers a few years ago?
Corey Ham:Oh, yeah. Coalfire? Yeah. I'm talking Coalfire. Incident.
Corey Ham:Yeah. Yeah. That was just bad scoping. That's why I scope.
John Strand:It was
Ralph May:a lot of things. It wasn't all on them, but No.
Corey Ham:It was not.
Ralph May:They didn't help.
Corey Ham:It was partially on them. Yes. It's the equivalent of flying with, like, a bandolier full of Flipper Zeros.
Ralph May:Yeah. Do
Corey Ham:you need to be doing that? Like, it okay. Is it wrong? No. But should you be doing that?
Corey Ham:Probably not.
John Strand:Yeah. In my in my intro to pen testing class, when we have get to the physical section, I'm like, do me a solid like, if you're gonna do a physical pen test, don't show up with, like, your tactical 5.11 backpack with the baby tactical tactical 5.11 backpack on the back and a utility.
Ralph May:Yes.
John Strand:Wearing a shirt that says I read your mom's email and then. How come I'm not getting in? I don't understand. I've had all of these wires and antennas all over me. Don't look like a hacker.
Ralph May:We teach all of that, John, in our our practical physical exploitation class. We we go through all of that. We have to, you know, just pretty much lay it down, talk about how you're supposed to do this, and, you know, why. Right?
John Strand:Ralph says, like, hard to cover the shit in the Is it okay if I wear camo, Ralph?
Corey Ham:No. No camo. No.
Ralph May:We tell we'd like right off the top. Bring your tactical cool nowhere.
John Strand:What what if I what about what if all of my shit's black and I dress like a like a ninja? No. What about my cargo pants? No. Nothing you would normally wear.
John Strand:Don't wear that. Wear something else.
Ralph May:So I'll I'll give you I'll give you a good example. We've had people in the class, students, who've had, like, maybe, like, a unique hat they like to wear or something like that. Right? And we'll be like, on an engagement, don't wear that. I like it.
Ralph May:I think it's cool.
John Strand:But it
Ralph May:it stands out. Right? Like, makes you stand out. You wanna look like just a dude at work who doesn't even wanna be at work. Okay?
Ralph May:And no one's gonna talk to you.
Corey Ham:Yeah. Yeah.
John Strand:Just a little stuff.
Corey Ham:No. I think my favorite physical pen testing story so far this year was I was doing an engagement with Cameron, one of the testers here, and she had, like, one of those thick clipboards that can fit a reader inside of it, but we didn't none of the physical stuff, like, read badge cloning wasn't in scope. So I was like, at the end of the engagement, was like, what do you have in that clipboard? And she's like, a banana. She had a banana on the clipboard, like, you know, I didn't wanna cramp up during the physicals.
Corey Ham:I had a banana on my clipboard just in case.
John Strand:Oh, everybody, let's wrap it up. Thank you so much. Hey. By the way, y'all, it's good to see you in 2026. And Yeah.
John Strand:We made it. Let's be here. Let's let's shoot for not shitty this year. Let let's go for that. Above.
Corey Ham:Jordan, plug your
John Strand:sorry. Jordan and
Corey Ham:Kent have a webcast. Jordan's not here. Kent, plug your webcast.
John Strand:Philosopher at Steve's too.
Ryan Poirier:Look at that, Kent.
John Strand:Hey, Kent. Yeah. You're you're you're doing a webcast with Jordan.
Ryan Poirier:I am. He's not here right now, but, I am. Everybody confuses me for him. QR code. There's a QR code.
Ryan Poirier:You just scan it right now. You should. Now we're gonna talk about the
Corey Ham:What do I learn how to use a Flipper Zero? Because that's the only thing I'm interested in at this
Ryan Poirier:very moment. Actually talk about Flipper Zero, but we're talking about a bunch of different tools for defense hacking. So it's gonna be pretty awesome. It's in a couple days. Whoo.
John Strand:I like how it's short and to the point. Velociraptor is C2. Oh my god. This is
Corey Ham:different. Who is that?
John Strand:It's a different webcast. Like, if you wanna use legitimate IR tools as an implant and just completely screw with the matrix, check that one out. That one's good. Boy, this is neat. Look at these QR codes.
Corey Ham:To that one.
John Strand:That that one's I don't want anyone to
Wade Wells:go to that one. We're turning that one off
John Strand:real quick. Let's see.
Corey Ham:And Wade's like, that one's too soon. Wade, okay. Alright, Wade. Uh-huh. What What
John Strand:IR tool do you recommend, Wade? I'm
Wade Wells:not gonna tell you because I don't want you to do c
Ralph May:two with it. Yeah.
Corey Ham:You know what the okay. You you no matter what, Wade, here's why this isn't a problem because the best the better C2 is the EDR. That's the best C2 out there.
Wade Wells:At at the end of the day, you just gotta change BGP routes. Right? So you're good.
John Strand:Yeah. That's all you got.
Wade Wells:That's all you have to do.
John Strand:Corey, are you gonna put that into the continuous pentesting service? Like Well, why it BGP? IStock. Like, we'll attack your BGP networks.
Corey Ham:No. Absolutely not. Please don't make me do that.
Ralph May:And you
John Strand:know that there's a formal deal that's like, we're willing to do it. Good luck. You know? I'm sending a card from oblivion. Yep.
John Strand:So alright. Let's wrap it up.
Corey Ham:Bring out the finger. Thank you
John Strand:so much, everybody.
Corey Ham:Happy New Year.